Windows 2003 user password problem

Posted on 2006-06-29
Last Modified: 2008-08-18
We have some users that are in remote offices connected via a VPN client (Cisco). I've noticed that they will get their 60 day domain password change notice, and once they do that, it seems that their machine password doesn't sync, and the password is completely off.

Is there a certain way everyone deals with this?
Question by: shankshank

Expert Comment

ID: 17013093
Passwords fail to synchronize in a Windows domain, seemingly at random

Cause:  Password Synchronization is not configured identically on all domain controllers in the domain. As a result, if a nonconforming domain controller accepts a user's password change, it might not be able to change the password on UNIX computers.

Solution:  Ensure that Password Synchronization is configured identically on all domain controllers, particularly host settings and default settings for encryption keys and ports.


Author Comment

ID: 17013143
That's not it, since we can change while physically on the network with no problem.

It's the VPN that screws up.


Accepted Solution

napoleon41 earned 168 total points
ID: 17014093
Are the remote computers members of the domain?  We had some problems with profiles and various mapping/logon scripts until we removed the remote computers from the domain.  Granted, a lot more stuff has to be configured manually, but we have a small group of people working remotely (transcriptionists mostly).

Now, we hook our users up with our SSL VPN gateway and have them RDP onto a terminal server.  Bye, bye remote issues.  Just food for thought. (note: they have a free edition because they built it on Linux.  I love open source).

Assisted Solution

engineer_dell earned 166 total points
ID: 17014566
Two things I would try. First, look for any cached passwords relating to your server on their remote machine:
Control Panel --> Users --> Advanced --> Manage passwords

Also, you may want to edit the hosts and lmhosts files so that they have entries for your server.

A VPN router running Windows Server 2003 supports the logging of authentication and accounting information for VPN connections in local logging files when Windows authentication or Windows accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track site-to-site connection usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.

If the VPN router is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer.


Assisted Solution

ssmith764 earned 166 total points
ID: 17071920

I may be barking up the wrong tree here, but is the VPN a permanent connection from the remote office, or do the users start the connection from their machines? The reason I ask is that if the users are not actually logging in to the domain but are logging in to their machine with cached credentials and THEN starting the VPN connection, when they change their passwords over the VPN the cached password on their machine will not be changed.
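
The check below is an added example, not code from the thread or from any of its participants. It tests ssmith764's hypothesis on one workstation: it reads how many domain logons the machine caches, finds the user's most recent console logon in the Security log and whether it was validated by a domain controller (event 4624, LogonType 2) or against the local cache (LogonType 11), and then asks Active Directory over the VPN when the password was last set. A cached logon that predates pwdLastSet means the locally cached verifier still matches the old password, which is exactly the mismatch described in the question. It assumes a domain-joined Windows client with PowerShell 3.0 or later, the VPN already connected so a DC is reachable, and an elevated prompt (the Security log needs administrator rights to read); the LDAP filter and registry path are the standard ones, everything else is constructed for this example.

```powershell
# Added example, not from the thread. Assumes: domain-joined Windows client,
# PowerShell 3.0+, VPN already up (a DC is reachable), elevated prompt.

$user = $env:USERNAME

# 1. How many domain logons Windows caches locally (default 10; 0 disables caching).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cachedCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount).CachedLogonsCount
Write-Host "CachedLogonsCount = $cachedCount"

# 2. Find this user's most recent console logon and how it was validated.
#    Event 4624 LogonType 2  = Interactive (validated by a DC)
#    Event 4624 LogonType 11 = CachedInteractive (validated against the local cache)
$lastLogon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
        }
    } |
    Where-Object { $_.User -eq $user -and $_.LogonType -in 2, 11 } |
    Select-Object -First 1     # Get-WinEvent returns newest first

if (-not $lastLogon) { throw "No interactive logon for $user found in the last 2000 logon events." }
Write-Host ("Last console logon: {0} (LogonType {1})" -f $lastLogon.Time, $lastLogon.LogonType)

# 3. Ask AD, over the VPN, when the domain password was last set. [adsisearcher]
#    needs no RSAT; pwdLastSet comes back as a FILETIME stored in an Int64.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$user))"
$result = $searcher.FindOne()
if (-not $result) { throw "Could not find $user in AD; is the VPN connected?" }
$pwdLastSet = [datetime]::FromFileTime([int64]$result.Properties['pwdlastset'][0])
Write-Host "Domain pwdLastSet:  $pwdLastSet"

# 4. The failure mode from the thread: a cached logon that predates the password
#    change means the cached verifier is the OLD password. Locking the workstation
#    (Win+L) and unlocking with the NEW password while the DC is reachable refreshes it.
if ($lastLogon.LogonType -eq 11 -and $pwdLastSet -gt $lastLogon.Time) {
    Write-Warning "Cached credential is stale: password was changed after the cached logon."
    Write-Warning "With the VPN up, lock the workstation and unlock with the new password."
} elseif ($lastLogon.LogonType -eq 11) {
    Write-Host "Cached logon, but no password change since; the cache should still match."
} else {
    Write-Host "Logon was validated by a DC; the cached credential is current."
}
```

Run it on the affected workstation right after the user has changed the password over the VPN client; if the logon type is 11 and pwdLastSet is newer than the logon time, the machine has never validated the new password against a DC, and the lock/unlock step (or a logoff and logon with the VPN still connected) is what brings the cache back in sync.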

Expert Comment

ID: 17073429
That's good thinking ssmith764.  I have never actually used the VPN "client" in a situation where the remote computer is a member of the domain.  Computers using the VPN client are not members of the domain.

All of our full-time remote users are LAN-to-LAN, where they are on a permanent tunnel with a router/PIX 501 at their house to provide the tunneling to the concentrator on site.  To those computers, the VPN is transparent and they might as well be jacked into a switch on site.  Computer/User security policies are slower (their login time is slower), but everything else works fine.

Obviously that requires some ACL rules to prevent their Internet traffic from pulling through the VPN, and for security reasons, we have chosen to deny their "company provided computer" from accessing the Internet.  We have, though, set up rules to give their personal computer(s) access to the Internet and deny them from the VPN.  Usually this is done by giving the company computer a static IP address and then providing a DHCP pool for their personal computers.

Security, security, security.


Author Comment

ID: 17266244
Smith: The VPN connection is not a permanent connection, but a VPN client run after the user logs in.
napoleon: I am curious about your topic of the router/PIX 501 setup, and not having the users' ability to access the net through the VPN. I wouldn't mind implementing a setup like that for me so that these VPN clients can access our network fine, but Internet traffic goes through their cable modem or ISP instead of through the VPN.


Expert Comment

ID: 17266933
Basically, there is a PIX 501 (or a SOHO router) at their house that is the first device in the chain from their Internet connection.  The PIX controls the Internet connection and access, and maintains a more or less permanent VPN connection with the Cisco Concentrator (we used to use a PIX, though) at the hospital.  This type of connection is called a LAN-to-LAN VPN.

The PIX 501 hands out a DHCP address, subnet mask, and default gateway to them and contains routing information.

Hospital Network -
Remote user's home network -

For security and function, we configure various ACLs (access control lists) and/or routing statements that direct the user's traffic.  If the destination is a 172.16 address, the 501 forwards the traffic down the VPN.  Any Internet traffic is sent out their Internet connection (and not the hospital's), and any local traffic is kept in their local network (printer, home network, Xbox, etc.).  Usually, we statically assign their "company computer's" IP address and only allow that station access to the VPN.

All of our VPNs use IPsec, but with Cisco devices, you can pretty much do anything you want.

Diagrams and descriptions of how to set up two PIX firewalls for a LAN-to-LAN VPN using the PDM (GUI) interface.  It covers the basics without getting into the Cisco command line.  I have found it difficult to use only the PDM, though, and end up doing most of my configuration of ANY major network device through the command line interface.  But, hey!  This one has pictures.  Ha!
